Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 27 Jan 2002 20:30:26 +0000
From:      Nik Clayton <nik@freebsd.org>
To:        Paul David Fardy <pdf@morgan.ucs.mun.ca>
Cc:        Nik Clayton <nik@FreeBSD.ORG>, Patrick Greenwell <patrick@stealthgeeks.net>, stable@FreeBSD.ORG
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020127203026.B40565@clan.nothing-going-on.org>
In-Reply-To: <200201251647.g0PGlt76013243@plato.ucs.mun.ca>; from pdf@morgan.ucs.mun.ca on Fri, Jan 25, 2002 at 04:51:33PM %2B0000
References:  <200201251647.g0PGlt76013243@plato.ucs.mun.ca>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
On Fri, Jan 25, 2002 at 04:51:33PM +0000, Paul David Fardy wrote:
> Nik Clayton <nik@FreeBSD.ORG> wrote:
> >> I've got a hunch this needs to be a tri-state variable.
> >>
> >>    YES -- Load the firewall rules
> >>    NO  -- Do nothing, default policy is compiled in to the kernel
> >>    OFF -- Explicitly set net.inet.ip.fw.enable=0
> >>
> >> or similar.
> 
> Is there a precedent for such tri-state variables in the conf files?

Dunno.  And breaking it out in to multiple variables might be better.

> Would it not be better to have a second "enable" variable?
> 
>  firewall_enable="NO"         # Set to YES to enable firewall functionality
> 						# Set to DEFAULT to defer to kernel
>  firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
>  firewall_script_enable="YES" # Run ${firewall_script} (or NO)

Why not ditch firewall_enable in new installs (or make it a synonym for
firewall_script_enable, which would be more accurate), and teach ipfw
how to kldload ipfw.ko if it's not already running?

N
-- 
FreeBSD: The Power to Serve      http://www.freebsd.org/               (__)
FreeBSD Documentation Project    http://www.freebsd.org/docproj/    \\\'',)
                                                                      \/  \ ^
   --- 15B8 3FFC DDB4 34B0 AA5F  94B7 93A8 0764 2C37 E375 ---         .\._/_)

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjxUY2IACgkQk6gHZCw343VHRACePLfDPrQrNk0LWDph6qu6I1RT
VekAniC1XyYeruU+73jbcapZMNfaMxKN
=FvYd
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020127203026.B40565>